Generating permission-based security policies

Abstract

For access control in Java or.NET web applications, methods on the runtime stack are examined by the runtime systems for granted permissions, to prohibit from executing untrusted codes. There are quite limited research work on automatically generating security policies for configuring application components. In practice, configuring a security policy of web applications almost relies on the expertise of developers. In this work, we present an approach to automatically generating permission-based security policies for Java applications to pass the runtime authorization. Our technique is based on context-sensitive static proram analysis in the framework of conditional weighted pushdown systems. To tackle with the challenges of access rights analysis such as to statically identify permissions to be examined at stack inspection points, we propose to apply a uniform abstract interpretation of program calling contexts which are used to glue various analysis modules involved in access rights analysis including points-to analysis, string analysis and policy generation analysis. As a result, we can statically identify relevant permissions at the stack inspection sites and perform context-sensitive policy generation analysis.